// SPDX-FileCopyrightText: 2025 UnionTech Software Technology Co., Ltd.
// SPDX-License-Identifier: MIT

package utils

import (
	"strings"
	"testing"
)

func TestSecurityIntegration_NewSecurityIntegration(t *testing.T) {
	// 测试默认配置
	si := NewSecurityIntegration(nil)
	if si == nil {
		t.Fatal("NewSecurityIntegration should not return nil")
	}

	if si.config == nil {
		t.Fatal("SecurityIntegration config should not be nil")
	}

	if si.securityUtils == nil {
		t.Fatal("SecurityIntegration securityUtils should not be nil")
	}

	// 测试自定义配置
	customConfig := &SecurityConfig{
		EnablePathSanitization:  false,
		EnableErrorSanitization: true,
		EnableEmailMasking:      false,
		EnableIPMasking:         true,
		DebugMode:               true,
	}

	siCustom := NewSecurityIntegration(customConfig)
	if siCustom.config.EnablePathSanitization {
		t.Error("Custom config EnablePathSanitization should be false")
	}
	if !siCustom.config.EnableErrorSanitization {
		t.Error("Custom config EnableErrorSanitization should be true")
	}
}

func TestSecurityIntegration_SafeErrorf(t *testing.T) {
	si := NewSecurityIntegration(DefaultSecurityConfig())

	// 测试基本的路径脱敏
	err := si.SafeErrorf("Failed to read file %s", "/home/user/secret/config.yaml")
	errMsg := err.Error()
	if strings.Contains(errMsg, "/home/user/secret/") {
		t.Error("SafeErrorf should sanitize sensitive path information")
	}
	if !strings.Contains(errMsg, "config.yaml") {
		t.Error("SafeErrorf should preserve filename")
	}
}

func TestSecurityIntegration_SanitizeValue(t *testing.T) {
	si := NewSecurityIntegration(DefaultSecurityConfig())

	// 测试字符串脱敏 - 验证基本功能
	result := si.SanitizeValue("/home/user/project/app.go")
	if resultStr, ok := result.(string); ok {
		// 主要验证敏感路径被清理
		if strings.Contains(resultStr, "/home/user/") {
			t.Error("SanitizeValue should sanitize sensitive path")
		}
	} else {
		t.Errorf("SanitizeValue expected string, got %T", result)
	}
}

func TestSecurityIntegration_ValidateAndSanitizePath(t *testing.T) {
	si := NewSecurityIntegration(DefaultSecurityConfig())

	// 测试空路径
	_, err := si.ValidateAndSanitizePath("")
	if err == nil {
		t.Error("ValidateAndSanitizePath should return error for empty path")
	}
}

func TestSecurityIntegration_SafeConfigDump(t *testing.T) {
	// 测试生产模式
	siProd := NewSecurityIntegration(DefaultSecurityConfig())
	config := map[string]string{"secret": "value", "path": "/home/user/config"}
	result := siProd.SafeConfigDump(config)
	if result != "[CONFIG_REDACTED_FOR_SECURITY]" {
		t.Errorf("SafeConfigDump in production mode should return redacted message, got %q", result)
	}

	// 测试调试模式
	debugConfig := DefaultSecurityConfig()
	debugConfig.DebugMode = true
	siDebug := NewSecurityIntegration(debugConfig)
	result = siDebug.SafeConfigDump(config)
	if result == "[CONFIG_REDACTED_FOR_SECURITY]" {
		t.Error("SafeConfigDump in debug mode should return actual config")
	}
}

func TestSecurityIntegration_CreateSafeErrorContext(t *testing.T) {
	si := NewSecurityIntegration(DefaultSecurityConfig())

	context := map[string]interface{}{
		"file_path":  "/home/user/secret/file.txt",
		"normal_key": "normal_value",
	}

	safeContext := si.CreateSafeErrorContext(context)

	// 检查敏感信息是否被脱敏
	if strings.Contains(safeContext["file_path"].(string), "/home/user/") {
		t.Error("Safe error context should not contain sensitive file path")
	}
	if safeContext["normal_key"] != "normal_value" {
		t.Error("Safe error context should preserve normal values")
	}
}

// 测试全局函数
func TestGlobalSecurityIntegrationFunctions(t *testing.T) {
	// 初始化全局安全配置
	InitGlobalSecurity(DefaultSecurityConfig())

	// 测试全局SanitizeString函数
	sanitized := SanitizeString("/home/user/project/app.go")
	if strings.Contains(sanitized, "/home/user/") {
		t.Error("Global SanitizeString should sanitize sensitive paths")
	}
}

func TestSecurityIntegration_DisabledFeatures(t *testing.T) {
	// 测试禁用所有安全功能
	config := &SecurityConfig{
		EnablePathSanitization:  false,
		EnableErrorSanitization: false,
		EnableEmailMasking:      false,
		EnableIPMasking:         false,
		DebugMode:               true,
	}

	si := NewSecurityIntegration(config)

	// 测试路径不被脱敏
	sanitizedPath := si.SafeFilePath("/home/user/secret.txt")
	if sanitizedPath != "/home/user/secret.txt" {
		t.Error("When path sanitization is disabled, path should not be changed")
	}

	// 测试错误信息不被脱敏
	sanitizedError := si.SafeErrorMessage("password=secret123")
	if sanitizedError != "password=secret123" {
		t.Error("When error sanitization is disabled, error message should not be changed")
	}

	// 测试邮箱不被屏蔽
	maskedEmail := si.SafeEmail("user@example.com")
	if maskedEmail != "user@example.com" {
		t.Error("When email masking is disabled, email should not be changed")
	}

	// 测试IP不被屏蔽
	maskedIP := si.SafeIP("192.168.1.100")
	if maskedIP != "192.168.1.100" {
		t.Error("When IP masking is disabled, IP should not be changed")
	}
}
